Hack.lu 2007 Christophe Monniez Miguël Blauwbloeme Hillar Leoste

Capturing Malware
Hack.lu 2007, Christophe Monniez, Miguël Blauwbloeme, Hillar Leoste

Nepenthes: what is it?
- A low-interaction honeypot
- Simulates 22 vulnerabilities: MS Windows, DameWare, MSSQL, IIS, ...
- Listens on 26 ports
- Captures malware that uses those vulnerabilities to propagate
C.Monniez - FCCU

Nepenthes: where to get it
- http://nepenthes.mwcollect.org
- Runs on GNU/Linux, OpenBSD, FreeBSD, Mac OS X, Cygwin
- Where to find it:
  - Official Debian package (0.1.7-3)
  - Unofficial Debian package (0.2.0-1): http://home.lucianobello.com.ar/nepenthes/
  - Download and compile from the Subversion repository: svn co https://svn.mwcollect.org/nepenthes/trunk/

Nepenthes: useful features
- By default it does nothing other than wait for malware
- Module architecture
- A module to synchronize malware repositories:
  - between two Nepenthes sensors
  - with https://beta.mwcollect.org/
  - to a database
  - to a web server

Nepenthes: useful features
- A Norman sandbox module:
  - automatically sends captured samples to the Norman sandbox
  - the report is received by mail
  - may be broken due to a captcha ...
- A lot more modules to explore: pcap, ...

Nepenthes: useful features
- Hexdumps of unknown attacks

Nepenthes: where to place it?
- In front of your internet connection. Examples:
  - On a gateway between your internal network and the internet
  - Side by side with your gateway, if you can have another internet IP

Nepenthes: where to place it?
- In some sort of DMZ. Example: forward the 26 ports from your internet gateway to the sensor

Nepenthes: where to place it?
- In your office intranet! A good way to track malware that is spreading in your internal network

Nepenthes: where to place it?
- At some ISP :-)

Nepenthes: border filtering
- It seems that some ISPs do border filtering; in that case you only capture malware coming from customers of the same ISP

Nepenthes: captured binaries
- Binary files are stored on your disk
- The file name of each binary is its MD5 hash

Nepenthes: log files
- nepenthes.log: a very verbose log of what Nepenthes did
- logged_downloads: file name and where the malware was downloaded from
- logged_submissions: file name, where it was downloaded from, and MD5 hash

Nepenthes: log files (screenshot of logged_downloads)

Nepenthes: log files (screenshot of logged_submissions)
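Since Nepenthes names each captured binary after its MD5 hash and logged_submissions records where each sample was downloaded from, a first triage step is to check that the files on disk still match their names and to count how many distinct samples each source delivered. This is an added example, not code from the talk or from Nepenthes; the logged_submissions line layout and the sample records are constructed assumptions.

```python
import hashlib
import os
import tempfile

# Constructed sample of a logged_submissions file. The record layout is an
# assumption, not the documented Nepenthes format: "timestamp source_url md5".
SAMPLE_SUBMISSIONS = """\
[2007-10-18T10:01:02] http://192.0.2.10:8888/x.exe 0cc175b9c0f1b6a831c399e269772661
[2007-10-18T10:05:44] ftp://192.0.2.20/update.exe 92eb5ffee6ae2fec3ad71c777531578f
[2007-10-18T11:22:09] http://192.0.2.10:8888/x.exe 0cc175b9c0f1b6a831c399e269772661
"""

def parse_submissions(text):
    """Return (source_url, md5) tuples; malformed lines are skipped, not trusted."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or len(parts[2]) != 32:
            continue
        records.append((parts[1], parts[2].lower()))
    return records

def unique_samples_per_source(records):
    """Distinct MD5s per download source: repeated hits of one worm collapse."""
    per_source = {}
    for source, md5 in records:
        per_source.setdefault(source, set()).add(md5)
    return {src: len(md5s) for src, md5s in per_source.items()}

def verify_binaries(directory):
    """Map each captured file name to True if the MD5 of its bytes equals the
    name, False otherwise (an altered or misfiled sample)."""
    results = {}
    for name in sorted(os.listdir(directory)):
        with open(os.path.join(directory, name), "rb") as fh:
            digest = hashlib.md5(fh.read()).hexdigest()
        results[name] = digest == name.lower()
    return results

def build_demo_dir():
    """Construct a capture directory: two honest md5-named files, one tampered."""
    directory = tempfile.mkdtemp(prefix="nepenthes-demo-")
    for content in (b"a", b"b"):
        path = os.path.join(directory, hashlib.md5(content).hexdigest())
        with open(path, "wb") as fh:
            fh.write(content)
    # Named after md5(b"c") but holding other bytes: verification must flag it.
    with open(os.path.join(directory, hashlib.md5(b"c").hexdigest()), "wb") as fh:
        fh.write(b"x")
    return directory
```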

Other tools
- Honeytrap: collects information on unknown attacks, http://honeytrap.mwcollect.org/
- honeyd
- Honeybow: http://honeybow.mwcollect.org/
- High-interaction honeypots: honeynet

Other tools
- Bleeding Snort
- On Windows:
  - HoneyBOT (mid-interaction honeypot): http://www.atomicsoftwaresolutions.com/honeybot.php
  - Multipot: http://labs.idefense.com/software/malcode.php#more_multipot

Online sandboxes
- Sunbelt sandbox: http://research.sunbelt-software.com/Submit.aspx, http://www.cwsandbox.org/
- Norman sandbox: http://www.norman.com/microsites/nsic/Submit/en-us
- Anubis: http://analysis.seclab.tuwien.ac.at/index.php
- ThreatExpert: http://www.threatexpert.com/submit.aspx

Online sandboxes
- VirusTotal: http://www.virustotal.com/fr/

Question time
Questions?